Apple Exposed – the Value of Bug Bounties
A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
You know how they say most crime victims know their attacker? Two incidents this week suggest this holds true in the case of cyber-crime too.
The culprit in both cases was none other than Apple — not some sketchy Android app created who-knows-where. It turns out the iPhone’s software contains a “very high severity issue” that could let hackers steal passwords with nothing more than a text message. Meanwhile, a second vulnerability allows snoops to exploit FaceTime and listen in on your calls.
Apple has issued patches for both problems, but they won’t help unless you do one thing, and this is probably worth shouting: UPDATE YOUR SOFTWARE. After all, those update notifications on your phone aren’t there for nothing.
The Apple incidents are also a reminder of the value of bug bounty programs that companies use to pay people to expose their software flaws. It might cost firms a tad of money and embarrassment, but it’s infinitely better than letting bad guys find the flaws first. If you have doubts, take it from Google’s former head of spam, who brought up bug bounties in the context of a clever phone scam:
Ironically, Apple is alone among major tech companies in not offering a bug bounty program. While everyone from Uber to the Pentagon is offering bounties these days, Apple remains a hold-out. (The FaceTime and message vulnerabilities were reported instead by employees at Cisco and Salesforce; their respective warnings are here and here.)
This week’s news may increase the pressure on Apple to finally create a bounty program of its own. But as the New York Times reported in March, the company might have a hard time doing so:
Some security researchers said no bounty Apple could offer now would match the reward they could expect from the underground market. Apple has waited so long that the black market for its flaws has become extremely lucrative, perhaps making any bug bounty program the company would create seem late to the game.
Finally, a bit of personal news: I’m thrilled to say I’m formally teaming up with my colleague Robert Hackett to build up Fortune’s cyber-security coverage, including on our Cyber Saturday newsletter.
Enjoy the rest of your weekend — and download those updates!